From nobody Thu May 2 05:05:19 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1555592457; cv=none; d=zoho.com; s=zohoarc; b=Bh66K3BYGBhZhp1QXdWNAtr60xb7Rnib99lvkoH/7Ea70bG8JNKIED0JR9uG6XkIgxAco1kq0yre4iOnleuNRniqjnDpZR9+M8begf5PSaCLNVZ6xE1Ktz6T4Qnh0YIf0qmSm+91PD1ofacJgc7pTgwYpQGu9zHc43KR5k7N0eA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1555592457; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=vfp8wxncRAVl3DKSwe7oQzI4oeYtWpBfF/S6A900M+o=; b=d2+aJjtpxFZ1c7vL+ySMpcicol2DJDwfK16bKSbJMySxVM8pM8Pk3e3pwX1cZ8RPJ0e8i5kIQWOfr3hwN217dbzDm6TdDct971u2rV+apYnday5vxZgtD5FZyshVCCXFIiG8AwKWPD8BL5qzabrBiV5wJBVS3QM3LxcE8hQU9zs= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1555592457097810.6333108363892; Thu, 18 Apr 2019 06:00:57 -0700 (PDT) Received: from localhost ([127.0.0.1]:41225 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hH6ed-0004x4-Oi for importer@patchew.org; Thu, 18 Apr 2019 09:00:39 -0400 Received: from eggs.gnu.org ([209.51.188.92]:40038) by 
lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hH6dM-0004Kd-60 for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:21 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hH6dK-00076U-5o for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:19 -0400 Received: from mx1.redhat.com ([209.132.183.28]:33882) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hH6dJ-000746-Ts for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:18 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 15C7A305396A; Thu, 18 Apr 2019 12:59:17 +0000 (UTC) Received: from localhost (ovpn-112-32.ams2.redhat.com [10.36.112.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0185919C65; Thu, 18 Apr 2019 12:59:13 +0000 (UTC) 
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= To: qemu-devel@nongnu.org Date: Thu, 18 Apr 2019 14:59:07 +0200 Message-Id: <20190418125908.11928-2-marcandre.lureau@redhat.com> In-Reply-To: <20190418125908.11928-1-marcandre.lureau@redhat.com> References: <20190418125908.11928-1-marcandre.lureau@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Thu, 18 Apr 2019 12:59:17 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 1/2] slirp: ensure there is enough space in mbuf to null-terminate X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jan Kiszka , Prasad J Pandit , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Samuel Thibault Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" Prevents from buffer overflows. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=3D1664205 Cc: Prasad J Pandit Signed-off-by: Marc-Andr=C3=A9 Lureau
---
 slirp/src/tcp_subr.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index fde9207b0c..c43598de48 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -644,6 +644,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
 so_rcv->sb_wptr +=3D m->m_len;
 so_rcv->sb_rptr +=3D m->m_len;
+ m_inc(m, m->m_len + 1);
 m->m_data[m->m_len] =3D 0; /* NULL terminate */
 if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
 if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) =3D=3D 2) {
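Review bot: The added `m_inc(m, m->m_len + 1)` only makes the following `m->m_data[m->m_len] = 0` safe if m_inc measures its size argument from m_data rather than from the start of the mbuf storage; m_size covers the whole buffer, so once m_data has been advanced past the buffer base a check of the form `m_size > size` would pass while the terminator still lands one byte past the end. Worth confirming against m_inc, which is outside this patch, that it grows the mbuf based on the room after m_data (M_ROOM) and not on m_size; if it uses m_size the guard belongs there. m_inc can also reallocate the mbuf, so any pointer taken into m_data before the call is stale afterwards — nothing is held across the call in this hunk, and the EMU_FTP and DCC hunks below re-read m->m_data, but a call-site comment such as `/* m_inc() may move m_data: do not keep pointers into it across this call */` would make that explicit. The same remark applies to the two later hunks of this patch, which add the identical call.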
@@ -677,6 +678,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
 }
=20
 case EMU_FTP: /* ftp */
+ m_inc(m, m->m_len + 1);
 *(m->m_data+m->m_len) =3D 0; /* NUL terminate for strstr */
 if ((bptr =3D (char *)strstr(m->m_data, "ORT")) !=3D NULL) {
 /*
@@ -774,6 +776,7 @@ tcp_emu(struct socket *so, struct mbuf *m) /* * Need to emulate DCC CHAT, DCC SEND and DCC MOVE */ + m_inc(m, m->m_len + 1); *(m->m_data+m->m_len) =3D 0; /* NULL terminate the string for strstr */ if ((bptr =3D (char *)strstr(m->m_data, "DCC")) =3D=3D NULL) return 1; --=20 2.21.0.313.ge35b8cb8e2 From nobody Thu May 2 05:05:19 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1555592557; cv=none; d=zoho.com; s=zohoarc; b=MaP2QemToTsZmPfpIAtKMdyfGoldKw623C4IAD07xAWejnrpd+N0y1ls7feiCAT7gsv9d6AWXFjajCG8P4U5BK9TQsi5Tdwi2tVcYcl+NNr4Kh3GIsIwFzevOKjtKldOxSlDh4BvxKNjmmky6J/X5Jyv8pxfhflNaFlM0AJMOds= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1555592557; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=evw+y3qouhgP9LW0N8PNEsc/xfNe1ZaHb9HFfdPs/W8=; b=oq16VbQ6Pezk8GWAxfSj7mBIQbpSWq/ajrjIF6eGXP9SSjeRGpXggoFQWTGT/+Ue8OSSY4qgzeGSVRQt8ER2lueqVqg9naMvxpEfNiPtkgT2IgVqi09rv7RQu/877xiJNiESBWFqtvOLV9XggQKFbsjxOSHkp+DBtFGStxiOsRA= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
15555925577261010.1627559537616; Thu, 18 Apr 2019 06:02:37 -0700 (PDT) Received: from localhost ([127.0.0.1]:41275 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hH6gU-0006FO-QT for importer@patchew.org; Thu, 18 Apr 2019 09:02:34 -0400 Received: from eggs.gnu.org ([209.51.188.92]:40070) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hH6dT-0004RI-Kj for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:28 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hH6dQ-0007Bt-5s for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:8077) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hH6dN-000796-V0 for qemu-devel@nongnu.org; Thu, 18 Apr 2019 08:59:23 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DA7E181DF1; Thu, 18 Apr 2019 12:59:20 +0000 (UTC) Received: from localhost (ovpn-112-32.ams2.redhat.com [10.36.112.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id 817285D9C5; Thu, 18 Apr 2019 12:59:18 +0000 (UTC) 
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= To: qemu-devel@nongnu.org Date: Thu, 18 Apr 2019 14:59:08 +0200 Message-Id: <20190418125908.11928-3-marcandre.lureau@redhat.com> In-Reply-To: <20190418125908.11928-1-marcandre.lureau@redhat.com> References: <20190418125908.11928-1-marcandre.lureau@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 18 Apr 2019 12:59:20 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 2/2] slirp: don't manipulate so_rcv in tcp_emu() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jan Kiszka , Prasad J Pandit , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Samuel Thibault Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" For some reason, EMU_IDENT is not like other "emulated" protocols and tries to reconstitute the original buffer, if it came in multiple packets. Unfortunately, it does so wrongly, as it doesn't respect the sbuf circular buffer appending rules, nor does it maintain some of the invariants (rptr is incremented without bounds, etc): this leads to further memory corruption revealed by ASAN or various malloc errors. Furthermore, the so_rcv buffer is regularly flushed, so there is no guarantee that buffer reconstruction will do what is expected. Instead, do what the function comment says: "XXX Assumes the whole command came in one packet", and don't touch so_rcv. Related to: https://bugzilla.redhat.com/show_bug.cgi?id=3D1664205 Cc: Prasad J Pandit 
Signed-off-by: Marc-Andr=C3=A9 Lureau
---
 slirp/src/tcp_subr.c | 26 +++++---------------------
 1 file changed, 5 insertions(+), 21 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index c43598de48..f4379ae012 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -634,20 +634,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
 struct socket *tmpso;
 struct sockaddr_in addr;
 socklen_t addrlen =3D sizeof(struct sockaddr_in);
- struct sbuf *so_rcv =3D &so->so_rcv;
=20
- if (m->m_len > so_rcv->sb_datalen
- - (so_rcv->sb_wptr - so_rcv->sb_data)) {
- return 1;
- }
-
- memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
- so_rcv->sb_wptr +=3D m->m_len;
- so_rcv->sb_rptr +=3D m->m_len;
- m_inc(m, m->m_len + 1);
- m->m_data[m->m_len] =3D 0; /* NULL terminate */
- if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
- if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) =3D=3D 2) {
+ if (g_strstr_len(m->m_data, m->m_len, "\r\n")
+ && sscanf(m->m_data, "%u%*[ ,]%u\r\n", &n1, &n2) =3D=3D 2) {
 HTONS(n1);
 HTONS(n2);
 /* n2 is the one on our host */
@@ -666,15 +655,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
 }
 NTOHS(n1);
 NTOHS(n2);
- so_rcv->sb_cc =3D snprintf(so_rcv->sb_data,
- so_rcv->sb_datalen,
- "%d,%d\r\n", n1, n2);
- so_rcv->sb_rptr =3D so_rcv->sb_data;
- so_rcv->sb_wptr =3D so_rcv->sb_data + so_rcv->sb_cc;
+ m->m_len =3D snprintf(m->m_data, m->m_size,
+ "%d,%d\r\n", n1, n2);
 }
- }
- m_free(m);
- return 0;
+ return 1;
 }
=20
 case EMU_FTP: /* ftp */
--=20
2.21.0.313.ge35b8cb8e2
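Review bot: With the `m_inc(m, m->m_len + 1)` and `m->m_data[m->m_len] = 0` lines removed, the new `sscanf(m->m_data, "%u%*[ ,]%u\r\n", &n1, &n2)` parses an mbuf that is no longer NUL-terminated; g_strstr_len is bounded by m_len, but sscanf is not, and since `\r\n` in the format and the leading-whitespace skip of `%u` both consume whitespace, an input such as `12 \r\n` (constructed example) makes the second `%u` read past m_len into whatever follows in the buffer. Keep the termination the previous patch added before parsing, `m_inc(m, m->m_len + 1); m->m_data[m->m_len] = 0;`, or run sscanf on a bounded copy of the line. The enclosing tcp_emu starts before this hunk.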
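Review bot: `snprintf(m->m_data, m->m_size, ...)` in the second hunk bounds the write by the size of the whole mbuf storage, but the write starts at m_data, which can sit past the buffer base, so the correct bound is the room after m_data — M_ROOM(m) from slirp's mbuf.h, as far as I recall — giving `m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);`. snprintf also returns the length the full string would have had, so on truncation m_len would exceed the bytes actually present; checking the result against the bound before assigning it avoids handing an oversized length on. The switch from `m_free(m); return 0;` to `return 1;` means the rewritten line now continues on the normal path instead of being queued in so_rcv, which the description does not say and should, in one sentence.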